At a glance.
- United Healthcare Services discloses data breach.
- Fire rescue breach exposes patient data.
- IBM’s MOVEit-linked breach impacts state agency data.
- Medicaid member data compromised in Indiana.
United Healthcare Services discloses data breach.
JDSupra reports that United Healthcare Services (UHS) experienced a breach that exposed the data of nearly 400,000 individuals. UHS filed a data breach notice with the US Department of Health and Human Services Office for Civil Rights (OCR), but very few details were included. While the notice does not specify what types of data were exposed, only incidents compromising consumers’ protected health information are typically required to be reported to OCR.
Dror Liwer, co-founder of cybersecurity company Coro, commented that healthcare data are attractive to criminals precisely because they tend to be recent and accurate. “Cyber criminals love healthcare data because it is usually recent, and very accurate from a PII perspective. This makes the data extremely valuable in the secondary market and is very useful for fraud purposes. This is why any organization that maintains healthcare records must utilize encryption, and continuously audit its own systems as well as its vendors' systems that have access to these records.”
Fire rescue breach exposes patient data.
In the US state of Maine, a fire rescue service has suffered a third-party data breach. Augusta Maine Fire Rescue uses a company called EMS Management Consultants for emergency medical services support, and the company has disclosed one of their online tools was compromised by an unknown actor who stole data from the server. The potentially compromised data include patient names, dates of transport, Social Security numbers, dates of birth, encounter/transport numbers, and billing codes. WMTW explains that those impacted will be contacted via mail.
Colorado Department of Health Care Policy & Financing (HCPF) suffers breach from Cl0p ransomware incident.
Security Affairs reports that the US state of Colorado’s Department of Health Care Policy & Financing (HCPF) was impacted in a cyberattack targeting tech giant IBM. Threat actors infiltrated IBM’s servers by exploiting the vulnerability recently discovered in the popular MOVEit file transfer platform. IBM, which is a third-party contractor for HCPF, uses MOVEit to transfer HCPF data files, and it's estimated that the personal health data of over 4 million members of HCPF’s state health programs were compromised. According to the breach filing, once HCPF learned of IBM’s breach, the government agency conducted an investigation that revealed that "certain HCPF files on the MOVEit application used by IBM were accessed by the unauthorized actor on or about May 28, 2023."
The compromised data include full name, Social Security number, date of birth, home address, and other contact, demographic, and income information. Dark Reading notes that HCPF is the second Colorado government agency to disclose a cyberincident this month, as the Colorado Department of Higher Education recently revealed it suffered a ransomware attack in June. TechCrunch adds that while IBM has yet to publicly confirm that it was impacted by the MOVEit mass hacks, Missouri’s Department of Social Services (DSS) has also said it suffered a third-party breach due to its connections with IBM. Interestingly, Cl0p, the ransomware gang behind the MOVEit hacks, has not listed Colorado’s HCPF or Missouri’s DSS on its leak site and claims it is not in possession of any government data.
Sally Vincent, Senior Threat Research Engineer at LogRhythm, reviewed what was compromised and why it matters. "The Colorado Department of Health Care Policy & Financing (HCPF) has alerted over four million individuals about a data breach affecting personal and health information. The breach, caused by Clop ransomware exploiting a MOVEit Transfer zero-day, impacted HCPF's contractor IBM, leading to potential exposure of details such as names, SSNs, Medicaid IDs, clinical data, and more for Health First Colorado and Child Health Plan Plus members. This incident follows right on the heels of a cyberattack on the Colorado Department of Higher Education (CDHE) and resulting data breach involving unauthorized access to the Department’s systems spanning a 13-year period and compromising names, social security numbers, dates of birth, addresses, photocopies of government IDs, and in certain cases, police reports or complaints related to identity theft." She added, "Apart from the difficulties of handling and identifying internal IT threats, evaluating risks associated with third parties is equally important. Especially in the healthcare sector, effective communication and notification tools, along with a profound grasp of configuring complex IT environments, become crucial. This allows healthcare establishments an all-encompassing perspective of abnormal and harmful actions across the board, facilitating swift and exhaustive counteractions. By leveraging a robust security monitoring system that grants holistic transparency, including for third-party vendors, the likelihood of spotting compromise indicators and efficiently countering threats would have been significantly increased."
Ken Westin, Field CISO, Panther Labs, thinks the breaches connected with MOVEit exploitation have been difficult for organizations to identify. "MOVEit is deployed in many healthcare organizations as well as government healthcare programs; recently I dug into the compromise of the Oregon Health Plan. The reporting on these breaches has been slow, I believe, because many of the organizations were not able to tell immediately if they were compromised and had to bring in third parties to identify the compromise, and given the protected nature of some of the data under HIPAA there are also legal/regulatory aspects that may have slowed down the notifications." He offers the sensible observation that the first step an organization should take toward securing itself against this vulnerability is determining whether it uses MOVEit at all. "The first step for many orgs is to identify if MOVEit is used in their environments. I may sound silly, but hardware and software asset inventory is difficult for many healthcare organizations given the dynamic nature of their networks, as well as being more resource-constrained than you would see in other industries. If the organization has identified MOVEit in their environments, the best course forward is to assume compromise and work backwards. They need to ask themselves 'what access was there?' and 'what other applications and data sources were connected?' A lot of these questions would usually be answered in their SIEM or Security Data Lake; however, if they do not have logging for these systems it may require a third-party response team to come in to help identify if they have been compromised."
(Added, 9:15 PM ET, August 15th, 2023.) Ani Chaudhuri, CEO of Dasera, wrote with extensive comment on this particular software supply chain issue. The risk extends, of course, to many other organizations. "Indeed, the MOVEit software breach incident at IBM that led to Colorado HCPF's data exposure is just the tip of the iceberg in what appears to be a larger vulnerability affecting several organizations," Chaudhuri said. "While the specific details about every breached entity might not always be public, it is imperative to understand that the software's widespread usage makes it an attractive target. The recent disclosure by Colorado State University, which was similarly breached due to the vulnerability in the MOVEit Transfer software, affecting thousands of students and staff, underscores the urgency. If MOVEit's vulnerability can affect educational institutions of such magnitude, it stands to reason that healthcare providers with a similar reliance on the software could be at equal, if not greater, risk, given the value of health data in the dark market." And Chaudhuri offered some advice on managing this risk. "In light of these breaches, healthcare providers must take a multi-pronged approach to damage containment:
- "Immediate Assessment: Conduct a rapid and comprehensive assessment to ascertain the extent of the breach. This involves understanding the nature of accessed data, the duration of unauthorized access, and potential secondary access points that the threat actors might have established.
- "Notify Affected Parties: Transparency is essential. Informing affected individuals meets regulatory obligations and allows them to take personal protective measures, such as monitoring for suspicious activities.
- "Enhanced Monitoring: Deploy advanced monitoring solutions to identify suspicious activities or data access patterns. This will help detect any malicious activities from the breach in real-time.
- "Rethink Data Storage and Access: Minimize the exposure of sensitive data by implementing robust data governance principles. This means limiting access based on necessity, employing end-to-end encryption, and frequently auditing data access logs.
- "Software Patching and Updates: Ensure all systems and software are updated with the latest patches. Regularly liaise with software vendors for updates on vulnerabilities and corresponding patches.
- "Employee Training: Often, the success of ransomware campaigns, like the one that exploited the MOVEit vulnerability, hinges on human error. Regular training of staff on the latest cybersecurity threats and maintaining a culture of vigilance can act as the first line of defense.
- "Collaborate and Share Information: Collaborate with other organizations, regulatory bodies, and cybersecurity entities to share knowledge about threats and best practices. This collaborative approach will not only bolster individual defenses but also strengthen the broader healthcare community's resilience against cyber threats.
- "Cyber Insurance and Legal Counsel: Ensure that cyber liability insurance is in place. A legal team well-versed in cybersecurity issues can also guide on regulatory obligations and potential legal ramifications post-breach."
Chaudhuri concluded, "While the current scenario paints a grim picture, it's also an opportunity. An opportunity for healthcare providers to reevaluate, reinvent, and fortify their data protection mechanisms, ensuring the sanctity of patient data now and in the future."
Medicaid member data compromised in Indiana.
In the US state of Indiana, the data of over 744,000 people enrolled in Medicaid have been compromised in yet another MOVEit-linked breach. WDRB reports that Maximus Health Services, a contractor affiliated with the Indiana Family and Social Services Administration, was the target of the attack. As a result, an intruder accessed the names, addresses, case numbers, and Medicaid numbers of Indiana Medicaid members who had received a communication from Maximus regarding the selection of a “managed care entity.” As well, the Social Security numbers of four additional Medicaid members were exposed. Fox 59 notes that Maximus reportedly stopped using MOVEit on May 31 after learning of the zero-day vulnerability, but unfortunately the attacker had already infiltrated their systems just days prior.